Merge branch 'main' into colmurph/update-wasi-test-nightly

Author: cdmurph32

Cargo.lock

@@ -56,7 +56,7 @@ wasi = "0.14"
 wstd = "0.5"
 
 [dev-dependencies]
-mockall = "0.13.0"
+mockall = "0.14.0"
 
 [target.'cfg(not(target_os = "wasi"))'.dev-dependencies]
 assert_cmd = "2.0.14"

cli/Cargo.toml

@@ -156,12 +156,12 @@ pkcs8 = "0.10.2"
 png_pong = "0.9.1"
 quick-xml = "0.38.3"
 rand = "0.8.5"
-rand_chacha = "0.3.1"
+rand_chacha = { version = "0.9.0", features = ["os_rng"] }
 range-set = "0.0.11"
-rasn = "0.26.0"
-rasn-cms = "0.26.0"
-rasn-ocsp = "0.26.0"
-rasn-pkix = "0.26.0"
+rasn = "0.28.2"
+rasn-cms = "0.28.2"
+rasn-ocsp = "0.28.2"
+rasn-pkix = "0.28.2"
 regex = "1.11"
 riff = "2.0.0"
 rsa = { version = "0.9.10", features = ["pem", "sha2", "std"], optional = true }
@@ -289,7 +289,7 @@ glob = "0.3.1"
 hex-literal = "1.0.0"
 jumbf = "0.4.0"
 c2pa_macros = { path = "../macros" }
-mockall = "0.13.1"
+mockall = "0.14.0"
 
 [target.'cfg(all(target_arch = "wasm32", not(target_os = "wasi")))'.dev-dependencies]
 wasm-bindgen-test = "0.3.55"

sdk/Cargo.toml

@@ -1259,7 +1259,7 @@ impl Builder {
                     // are resolved to their hashed URIs.
                     self.add_actions_assertion_settings(&ingredient_map, &mut actions)?;
 
-                    claim.add_assertion(&actions)
+                    add_assertion(&mut claim, &actions, manifest_assertion.created())
                 }
                 #[allow(deprecated)]
                 CreativeWork::LABEL => {
@@ -4026,4 +4026,49 @@ mod tests {
 
         Ok(())
     }
+
+    #[test]
+    fn actions_created_assertion() {
+        let mut dest = Cursor::new(Vec::new());
+        Builder::new()
+            .with_definition(
+                json!({
+                  "assertions": [
+                    {
+                      "label": "c2pa.actions",
+                      "data": {
+                        "actions": [
+                          {
+                            "action": "c2pa.created",
+                            "digitalSourceType": "http://c2pa.org/digitalsourcetype/empty"
+                          }
+                        ]
+                      },
+                      "created": true
+                    }
+                  ]
+                })
+                .to_string(),
+            )
+            .unwrap()
+            .sign(
+                &Settings::signer().unwrap(),
+                "image/jpeg",
+                &mut Cursor::new(TEST_IMAGE),
+                &mut dest,
+            )
+            .unwrap();
+
+        dest.rewind().unwrap();
+
+        let reader = Reader::from_stream("image/jpeg", &mut dest).unwrap();
+        let active_manifest = reader.active_manifest().unwrap();
+
+        let actions_assertion = active_manifest
+            .assertions()
+            .iter()
+            .find(|assertion| assertion.label().starts_with(Actions::LABEL))
+            .unwrap();
+        assert!(actions_assertion.created());
+    }
 }

sdk/src/builder.rs

@@ -20,6 +20,7 @@ use std::{
 
 use async_generic::async_generic;
 use chrono::{DateTime, Utc};
+use coset::CoseSign1;
 use serde::{ser::SerializeStruct, Deserialize, Serialize, Serializer};
 use serde_json::{json, Map, Value};
 use uuid::Uuid;
@@ -1051,6 +1052,17 @@ impl Claim {
         &self.signature_val
     }
 
+    /// Returns the `COSE_Sign1_Tagged` structure found in the claim signature box.
+    pub fn cose_sign1(&self) -> Result<CoseSign1> {
+        let sig = self.signature_val();
+        let data = self.data()?;
+        let mut validation_log =
+            StatusTracker::with_error_behavior(ErrorBehavior::StopOnFirstError);
+
+        let sign1 = parse_cose_sign1(sig, &data, &mut validation_log)?;
+        Ok(sign1)
+    }
+
     /// get claim generator
     pub fn claim_generator(&self) -> Option<&str> {
         self.claim_generator.as_deref()

sdk/src/claim.rs

@@ -43,9 +43,9 @@ pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignature
     }
 }
 
-pub(crate) fn validator_for_sig_and_hash_algs(
-    sig_alg: &Oid,
-    hash_alg: &Oid,
+pub(crate) fn validator_for_sig_and_hash_algs<T: AsRef<[u8]>, U: AsRef<[u8]>>(
+    sig_alg: &Oid<T>,
+    hash_alg: &Oid<U>,
 ) -> Option<Box<dyn RawSignatureValidator>> {
     if sig_alg.as_ref() == RSA_OID.as_bytes() {
         if hash_alg.as_ref() == SHA1_OID.as_bytes() {

sdk/src/crypto/raw_signature/openssl/validators/mod.rs

@@ -91,9 +91,9 @@ pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignature
 }
 
 /// Select validator based on signing algorithm and hash type or EC curve.
-pub(crate) fn validator_for_sig_and_hash_algs(
-    sig_alg: &Oid,
-    hash_alg: &Oid,
+pub(crate) fn validator_for_sig_and_hash_algs<T: AsRef<[u8]>, U: AsRef<[u8]>>(
+    sig_alg: &Oid<T>,
+    hash_alg: &Oid<U>,
 ) -> Option<Box<dyn RawSignatureValidator>> {
     // Handle legacy RSA.
     if sig_alg.as_ref() == RSA_OID.as_bytes() {
@@ -394,17 +394,17 @@ mod tests {
 
     // Argh. Different Oid types across different crates, so we have to construct
     // our own constants here.
-    const RSA_OID: Oid = bcder::Oid(OctetString::from_static(&[
+    const RSA_OID: Oid<OctetString> = bcder::Oid(OctetString::from_static(&[
         42, 134, 72, 134, 247, 13, 1, 1, 1,
     ]));
 
-    const SHA256_OID: Oid =
+    const SHA256_OID: Oid<OctetString> =
         bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 1]));
 
-    const SHA384_OID: Oid =
+    const SHA384_OID: Oid<OctetString> =
         bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 2]));
 
-    const SHA512_OID: Oid =
+    const SHA512_OID: Oid<OctetString> =
         bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 3]));
 
     #[test]

sdk/src/crypto/raw_signature/rust_native/validators/mod.rs

@@ -231,21 +231,24 @@ fn ps512() {
 
 // Argh. Different Oid types across different crates, so we have to construct
 // our own constants here.
-const RSA_OID: Oid = bcder::Oid(OctetString::from_static(&[
+const RSA_OID: Oid<OctetString> = bcder::Oid(OctetString::from_static(&[
     42, 134, 72, 134, 247, 13, 1, 1, 1,
 ]));
 
-const SHA256_OID: Oid = bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 1]));
+const SHA256_OID: Oid<OctetString> =
+    bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 1]));
 
-const SHA384_OID: Oid = bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 2]));
+const SHA384_OID: Oid<OctetString> =
+    bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 2]));
 
-const SHA512_OID: Oid = bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 3]));
+const SHA512_OID: Oid<OctetString> =
+    bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 3]));
 
 #[cfg_attr(
     any(feature = "rust_native_crypto", target_arch = "wasm32"),
     allow(unused)
 )]
-const SHA1_OID: Oid = bcder::Oid(OctetString::from_static(&[43, 14, 3, 2, 26]));
+const SHA1_OID: Oid<OctetString> = bcder::Oid(OctetString::from_static(&[43, 14, 3, 2, 26]));
 
 #[test]
 #[cfg_attr(
@@ -359,8 +362,8 @@ fn sha1() {
 }
 
 #[allow(dead_code)]
-fn ans1_oid_bcder_oid(asn1_oid: &asn1_rs::Oid) -> bcder::Oid {
-    const TEST_FAIL: Oid = bcder::Oid(OctetString::from_static(&[0, 0, 0, 0]));
+fn ans1_oid_bcder_oid(asn1_oid: &asn1_rs::Oid) -> bcder::Oid<OctetString> {
+    const TEST_FAIL: Oid<OctetString> = bcder::Oid(OctetString::from_static(&[0, 0, 0, 0]));
 
     let asn1_oid_str = asn1_oid.to_id_string();
 
@@ -398,6 +401,6 @@ fn test_get_by_sig_and_alg() {
     assert!(validator_for_sig_and_hash_algs(&ed25519_oid, &sha512).is_some());
 
     // test negative case
-    const TEST_FAIL: Oid = bcder::Oid(OctetString::from_static(&[0, 0, 0, 0]));
+    const TEST_FAIL: Oid<OctetString> = bcder::Oid(OctetString::from_static(&[0, 0, 0, 0]));
     assert!(validator_for_sig_and_hash_algs(&TEST_FAIL, &sha512).is_none());
 }

sdk/src/crypto/raw_signature/tests/validators.rs

@@ -93,9 +93,9 @@ pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignature
 ///
 /// Which validators are available may vary depending on the platform and
 /// which crate features were enabled.
-pub(crate) fn validator_for_sig_and_hash_algs(
-    sig_alg: &Oid,
-    hash_alg: &Oid,
+pub(crate) fn validator_for_sig_and_hash_algs<T: AsRef<[u8]>, U: AsRef<[u8]>>(
+    sig_alg: &Oid<T>,
+    hash_alg: &Oid<U>,
 ) -> Option<Box<dyn RawSignatureValidator>> {
     // TO REVIEW: Do we need any of the RSA-PSS algorithms for this use case?
     #[cfg(any(feature = "rust_native_crypto", target_arch = "wasm32"))]

sdk/src/crypto/raw_signature/validator.rs

@@ -118,6 +118,12 @@ pub struct Manifest {
     #[serde(skip_serializing_if = "Option::is_none")]
     label: Option<String>,
 
+    /// The [`CoseSign1::signature`] value.
+    ///
+    /// [`CoseSign1::signature`]: coset::CoseSign1::signature
+    #[serde(skip)]
+    signature: Option<Vec<u8>>,
+
     /// Indicates where a generated manifest goes
     #[serde(skip)]
     remote_manifest: Option<RemoteManifest>,
@@ -236,6 +242,12 @@ impl Manifest {
         self.signature_info.as_ref()
     }
 
+    /// Returns the signature field of the `COSE_Sign1_Tagged` structure found in the
+    /// claim signature box.
+    pub fn signature(&self) -> Option<&[u8]> {
+        self.signature.as_deref()
+    }
+
     /// Returns the parent ingredient if it exists.
     pub fn parent(&self) -> Option<&Ingredient> {
         self.ingredients.iter().find(|i| i.is_parent())
@@ -368,6 +380,10 @@ impl Manifest {
             format: claim.format().map(|s| s.to_owned()),
             instance_id: claim.instance_id().to_owned(),
             label: Some(claim.label().to_owned()),
+            signature: claim
+                .cose_sign1()
+                .ok()
+                .map(|cose_sign1| cose_sign1.signature),
             ..Default::default()
         };